Debian / SE/Linux (resend due to html bounce)

Luke Kenneth Casson Leighton lkcl at lkcl.net
Sun May 30 21:41:17 EST 2004


Content-Description: Undelivered Message
From: Luke Kenneth Casson Leighton <lkcl at lkcl.net>
To: Damien Miller <djm at mindrot.org>
Cc: openssh-unix-dev at mindrot.org, pam-list at redhat.com,
	SE-Linux <selinux at tycho.nsa.gov>, hartmans at debian.org
Subject: Re: Debian / SE/Linux -	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193664
Mail-Followup-To: Damien Miller <djm at mindrot.org>,
	openssh-unix-dev at mindrot.org, pam-list at redhat.com,
	SE-Linux <selinux at tycho.nsa.gov>, hartmans at debian.org
X-SA-Exim-Connect-IP: 192.168.0.223
X-SA-Exim-Mail-From: lkcl at lkcl.net

On Sun, May 30, 2004 at 07:43:52PM +1000, Damien Miller wrote:
> Luke Kenneth Casson Leighton wrote:
> > dear openssh developers,
> > 
> > i was wondering if you were aware of some patches for security
> > enhancements to openssh - to support SE/Linux.
> 
> I eventually found a patch at:
> 
> http://www.nsa.gov/selinux/patches/openssh-selinux.patch.gz
> (from http://www.nsa.gov/selinux/code/download5.cfm)
> 
> but it doesn't seem to do much at all - the only code change is the
> marking of a ssh-agent fd to be close-on-exec.

 that, and the inclusion of pam_selinux.so as a required session
 plugin, and the setting of a security context on the DSA and
 RSA keys in sshd initialisation (a redhat rpm thing?)

> Is this the patch that you are referring to?
 
  yes it is.

  the ssh-agent fd close-on-exec is actually a really important
  security bug because otherwise you end up with an open file
  descriptor being passed over to a process that should have no
  rights or use for it.

  SE/Linux is really cool in that respect: the audit process
  logged that this file handle was being passed over to a child
  process, and the policy for ssh-agent said that that wasn't
  allowed.

  cool, huh? :)

  [apparently, PAM has a similar bug in /sbin/unix_verify:

	   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248310

   but the debian maintainer for pam is being a bit of an idiot
   and won't look at it.  sorry, mr hartmans, but it's bypass time,
   and your comments _are_ a matter of public record, after all]

  l.
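The descriptor-leak point above, as an added example that is not part of the original message and not code from the OpenSSH or NSA patch: a descriptor that is not marked close-on-exec is inherited by every program the process later executes, which is exactly how an ssh-agent fd can end up in a child that should have no use for it. The write end of a pipe stands in for the agent descriptor, and an exec'd /bin/sh stands in for the untrusted child; the shell is told to write through the inherited descriptor number, so whether the bytes arrive tells us whether the fd leaked. Function and variable names are this example's own.

```c
/* Added example (not from the e-mail or the OpenSSH project): shows the
 * effect of FD_CLOEXEC, the flag the SE/Linux patch sets on the ssh-agent
 * descriptor, by exec'ing a child with and without it. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec. Returns 0 on success, -1 on error. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* Returns 1 if fd carries FD_CLOEXEC, 0 if not, -1 on error. */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Sanity check of the flag round trip on a fresh pipe: a new descriptor
 * starts without the flag, and set_cloexec() adds it. Returns 1 if so. */
int demo_flag_roundtrip(void) {
    int p[2];
    if (pipe(p) == -1)
        return 0;
    int before = is_cloexec(p[1]);
    int rc = set_cloexec(p[1]);
    int after = is_cloexec(p[1]);
    close(p[0]);
    close(p[1]);
    return (before == 0 && rc == 0 && after == 1) ? 1 : 0;
}

/* The write end of a pipe plays the agent descriptor. The child execs
 * /bin/sh and tries to write "leaked" through that descriptor number.
 * Returns 1 if the exec'd child could use the fd (it leaked), 0 if the
 * kernel had closed it at exec(), -1 on error. */
int fd_survives_exec(int protect) {
    int p[2];
    if (pipe(p) == -1)
        return -1;
    if (protect && set_cloexec(p[1]) == -1)
        return -1;

    /* Shell redirect to the numeric fd; it fails if the fd is not open
     * in the new process image. stderr is silenced first so the failure
     * message does not clutter the demo. */
    char cmd[80];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; printf leaked >&%d", p[1]);

    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        close(p[0]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(p[1]);  /* parent drops its copy so read() reaches EOF */

    char buf[16] = {0};
    ssize_t n = read(p[0], buf, sizeof buf - 1);
    close(p[0]);
    waitpid(pid, NULL, 0);
    return (n > 0 && strcmp(buf, "leaked") == 0) ? 1 : 0;
}

int main(void) {
    printf("without FD_CLOEXEC: exec'd child can use fd = %d\n",
           fd_survives_exec(0));
    printf("with FD_CLOEXEC:    exec'd child can use fd = %d\n",
           fd_survives_exec(1));
    return 0;
}
```

Without the flag the shell writes "leaked" and the parent reads it; with the flag set, the descriptor is gone by the time the shell's redirect runs, so nothing arrives. This is the same inheritance that SE/Linux's policy for ssh-agent caught at the audit layer: the fix is to close the descriptor at exec rather than to trust every child to ignore it.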
